b'\x0cThe U.S. International Trade Commission is an independent, nonpartisan, quasi-judicial federal agency\nthat provides trade expertise to both the legislative and executive branches of government, determines the\nimpact of imports on U.S. industries, and directs actions against certain unfair trade practices, such as\npatent, trademark, and copyright infringement. USITC analysts and economists investigate and publish\nreports on U.S. industries and the global trends that affect them. The agency also maintains and publishes\nthe Harmonized Tariff Schedule of the United States.\n\n\n\n\n                                             Commissioners\n                                        Irving A. Williamson, Chairman\n                                        Daniel R. Pearson\n                                        Shara L. Aranoff\n                                        Dean A. Pinkert\n                                        David S. Johanson\n                                        Meredith M. Broadbent\n\x0c         UNITED STATES INTERNATIONAL TRADE COMMISSION\n\n                             OFFICE OF INSPECTOR GENERAL\n                                     WASHINGTON, DC 20436\n\n\n\n\nOctober 19, 2012                                                                  IG-KK-017\n\n\nChairman Williamson:\n\nThis memorandum transmits the Office of Inspector General\xe2\x80\x99s final report, Audit of Citrix\nRemote Access, OIG-AR-13-01. This audit focused on whether the Commission\xe2\x80\x99s Citrix\nplatform provided the capabilities necessary for Commission staff to effectively and efficiently\nperform their work remotely. In finalizing this report, we analyzed management\xe2\x80\x99s comments to\nour draft report and have included those comments in their entirety as Appendix A.\n\nThe audit identified several problem areas that contributed to a decrease in staff productivity\nwhile working remotely. This report contains 11 recommendations to address the problem areas.\nIn the next 30 days, please provide me with your management decisions describing the specific\nactions that you will take to implement each recommendation.\n\nThank you for the courtesies extended to the auditors during this review.\n\n\n\n\nPhilip M. Heneghan\nInspector General\n\x0c\x0c                               U.S. International Trade Commission\n                                               Audit Report\n\n\n\n\n                                       Table of Contents\nResults of Audit............................................................................................. 1\n\nProblem Areas............................................................................................... 2\n   Problem Area 1: The Commission does not provide all staff with remote access that\n   approximates the standard office PC experience............................................................ 2\n\n   Problem Area 2: The Citrix configuration caused unnecessary delays and errors. ....... 4\n\n   Problem Area 3: The partial information reported by Citrix monitoring was\n   insufficient to manage the remote access platform......................................................... 7\n\nManagement Comments and Our Analysis ............................................. 12\nObjective, Scope, and Methodology.......................................................... 12\n\nAppendix A: Management Comments on Draft Report..........................A\n\n\n\n\n                                                     -i-\n\x0c\x0c                          U.S. International Trade Commission\n                                       Audit Report\n\n\n\n                                  Results of Audit\nThe purpose of this audit was to answer the question:\n\n       Does the USITC\xe2\x80\x99s Citrix platform provide the capabilities necessary for\n       Commission staff to effectively and efficiently perform their work remotely?\n\nNo. The Commission\xe2\x80\x99s Citrix platform does not provide the capabilities necessary for\nCommission staff to effectively and efficiently perform their work remotely.\n\nThe Commission has implemented a Citrix platform to provide remote access for its staff.\nThis Citrix platform provides users with remote access to data and a subset of standard\nwork applications.\n\nThe Commission\xe2\x80\x99s Addendum to the Strategic Plan for Fiscal Years 2009-2014 states the\nfollowing: \xe2\x80\x9cManagement Goal 4: Use information technology to support productivity\ngains.\xe2\x80\x9d To support this goal, this audit focused on the quality of the user experience\nwhen using Citrix remotely. In order for Commission staff to work remotely in a\nproductive manner, the Commission should provide an application that appears and\nfunctions like the desktop of a standard office workstation, correctly configure the system\nto minimize user effort, and use a complete set of information to facilitate management\nand support of that system.\n\nThe Commission\xe2\x80\x99s remote access system does not meet these criteria. Its Citrix\nimplementation provided a time-limited web application that required users to\nindividually launch applications as a separate window. The system required redundant\ndata entry and unnecessary delays to login, and each application launch caused additional\ndelay. Standard operations by users resulted in errors due to Citrix configuration or other\ninfrastructure problems, and the data generated by the platform provided only partial\ninformation that was insufficient to manage the system.\n\nWe identified three problem areas with the Commission\xe2\x80\x99s implementation of Citrix\nremote access. Below, we describe these three problem areas and their effect on\nproductivity, and we provide recommendations to improve the productivity of the\nCommission\xe2\x80\x99s staff while using the Citrix remote access platform.\n\n\n\n\nOIG-AR-13-01                               -1-\n\x0c                          U.S. International Trade Commission\n                                      Audit Report\n\n\n\n                                  Problem Areas\n\n                             Problem Area 1:\nThe Commission does not provide all staff with remote access that approximates\n                    the standard office PC experience.\n\nWhen Commission users login to their PC (personal computer) in the office, their screen\npresents them with a desktop providing access to their applications and data. Citrix\nprovides this function with its \xe2\x80\x9cDesktop\xe2\x80\x9d application. An example of the Citrix published\ndesktop application is seen below:\n\n                   Figure 1: Example of a Citrix Desktop application:\n\n\n\n\nThis feature allows users to efficiently launch a single application from Citrix remote\naccess, where they can access their applications and data. Once the desktop application is\nlaunched, all specific applications such as Outlook, Word, and others launch instantly just\nas they would from an office-based PC, and their appearance is identical to that on their\noffice PC.\n\n\n\n\nOIG-AR-13-01                               -2-\n\x0c                          U.S. International Trade Commission\n                                       Audit Report\n\n\n\nTo attain the highest level of productivity while working remotely, select CIO staff had\naccess to this desktop application when using Citrix remote access. Other Commission\nstaff did not have access to the desktop application, and had to individually select and\nlaunch the applications from the Citrix Web Interface in their Internet browser:\n\n                   Figure 2: Application menu in Citrix Web Interface:\n\n\n\n\nEach of these applications must be launched one at a time. For example, launching\nMicrosoft Word opens a window for only this application. To use an additional\napplication, the user must return to the web browser on their local PC, access the Citrix\nWeb Interface application menu, and launch their next selected application. If the user\nhad not accessed the Citrix Web Interface application menu in the last 15 minutes, they\nwould be required to login once again. We recorded an average of 39 seconds to launch\nthe initial application from the Web Interface. In some cases, launching subsequent\napplications will require a similar delay.\n\nNot all standard applications are available when using Citrix remote access. For\nexample, Mozilla Firefox and Adobe Flash are found on all office PCs, but these\napplications were not available in Citrix. When users work in Citrix, their saved settings\nsuch as Internet Explorer favorites were missing. There is no technical reason preventing\nFirefox, Flash, and settings such as Internet Explorer favorites from being made available\nto Citrix users.\n\nThe effect of the lack of a remote access desktop application is that staff productivity is\nreduced while working remotely and using Citrix. Doing routine work requires a\ncumbersome method of accessing data and applications, and staff may not have access to\nthe information or programs they need to get their work done. The Commission can\nimprove productivity for all remote access users by providing them with the desktop\napplication, and ensuring that it offers all standard applications and user settings. We\nspoke with two Federal agencies providing Citrix remote access, and both provide the\ndesktop application to all staff.\n\n\n\nOIG-AR-13-01                               -3-\n\x0c                          U.S. International Trade Commission\n                                       Audit Report\n\n\n\nRecommendation 1:\nProvide all Commission staff an interface, such as a desktop, that offers access to\nprograms similar to that of the office PC.\n\nRecommendation 2:\nSynchronize all possible user-configured desktop settings including Internet Explorer\nfavorites with users\xe2\x80\x99 remote access profiles.\n\nRecommendation 3:\nProvide all standard applications in remote access.\n\n\n                                Problem Area 2:\n         The Citrix configuration caused unnecessary delays and errors.\n\nA well configured Citrix remote access platform should allow staff to work efficiently\nanywhere by providing a streamlined login process and error-free operation. The\nCommission\xe2\x80\x99s Citrix configuration causes redundant data entry and delays in the login\nprocess, and prompts users with unnecessary errors and warnings when used for standard\noperations.\n\n1. Login inefficiency:\n\nThe Commission\xe2\x80\x99s Citrix login process can be configured to provide a single login\nscreen, similar to that provided by the Commission\xe2\x80\x99s webmail application. Two other\nFederal agencies were surveyed during the course of this audit, and both of them provide\nan efficient, single login screen, an example of which is seen below:\n\n                       Figure 3: Example of a single login screen:\n\n\n\n\nOIG-AR-13-01                               -4-\n\x0c                          U.S. International Trade Commission\n                                      Audit Report\n\n\n\nThis login screen prompted the user to read an access disclaimer, enter their user name,\npasscode, and password, and then press \xe2\x80\x9cLog On\xe2\x80\x9d to access their Citrix applications.\n\nIn contrast, the Commission\xe2\x80\x99s Citrix login process had been configured to be inefficient,\nrequiring unnecessary steps, delays, and redundant data entry across three separate\nscreens. The steps to login to the Commission\xe2\x80\x99s Citrix system were as follows:\n\n                      Figure 4: Commission Citrix Log On process:\n\n           1. On the first screen, users were required to enter their user name, then\n              passcode, then press the \xe2\x80\x9cLog On\xe2\x80\x9d button and wait for the next screen:\n\n\n\n\n           2. On the second screen, they were presented with a pre-logon message\n              where they must press the \xe2\x80\x9cOK\xe2\x80\x9d button and wait for yet another screen:\n\n\n\n\n           3. On the third screen, they again entered their user name, then type their\n              password, and press \xe2\x80\x9cLog On\xe2\x80\x9d to finally access the list of Citrix\n              applications.\n\n\n\n\nOIG-AR-13-01                               -5-\n\x0c                          U.S. International Trade Commission\n                                       Audit Report\n\n\n\nThis redundant and inefficient process was the result of the Commission\xe2\x80\x99s configuration\nof Citrix, and was not due to a lack of capability on the part of Citrix. Citrix can be\nconfigured to provide a single login screen, similar to that provided by the Commission\xe2\x80\x99s\nwebmail application.\n\n2. Unnecessary Warnings and Errors:\n\nThe Commission configured Citrix to prompt users with errors and warnings when\naccessing standard applications. For example, users that launched the \xe2\x80\x9cUSITC Intranet\xe2\x80\x9d\napplication would encounter this if it happened to load from server 1.\n\n                              Figure 5: Unnecessary warning:\n\n\n\n\nThis message indicates that content from the site is being blocked for security reasons. In\nour analysis of the root cause of this issue, we found that the Citrix \xe2\x80\x9cUSITC Intranet\xe2\x80\x9d\napplication could be loaded from one of four servers. Three of the four servers do not\nexhibit this warning. This indicates that the servers were not configured consistently,\nresulting in a potentially different experience each time users access an application.\n\nUsers also experienced errors indicating that specific applications were not available.\nOur review of the Citrix configuration found that applications were sometimes not\ninstalled on the Citrix servers, and at other times, servers hosting applications were either\nshut down or otherwise offline. In one specific instance, Microsoft Visio was a published\nCitrix application. The Citrix web Applications menu indicated that it was available for\nuse in Citrix. However, it was impossible to load because Citrix had been configured to\nlaunchthe Visio application from a server where it was not installed. This problem was\n\n\nOIG-AR-13-01                                -6-\n\x0c                          U.S. International Trade Commission\n                                      Audit Report\n\n\n\nsolved by configuring Citrix to load the application from a server which did have Visio\ninstalled.\n\nThe CIO maintains a listing of \xe2\x80\x9cNon-essential Servers\xe2\x80\x9d, and at least one of the Citrix\nservers on this list was the only server performing a specific function, in this case,\nproviding Microsoft Visio. The fix for Visio in Citrix was short-lived, because the Visio\nserver was taken offline from May 25-31 when the office of the CIO turned off several\nservers to reduce heat in the server room. During this time, Visio was once again\nunavailable from the remote access platform.\n\nThe delays and unnecessary errors due to the remote access configuration frustrates staff\nby forcing them to learn new and inefficient ways to perform routine tasks, and trains\nthem to expect errors and warnings when performing standard operations. When users\nexpect errors, it undermines their confidence that they can be productive while working\non the Citrix remote access system.\n\nRecommendation 4:\nImplement a single login screen.\n\nRecommendation 5:\nImplement a standard, consistent baseline configuration for all remote access servers.\n\nRecommendation 6:\nUpdate the Commission\xe2\x80\x99s list of Non-Essential Servers to include the impact of taking\ndown specific remote access servers.\n\nRecommendation 7:\nManually test and confirm all existing applications to ensure they operate error- and\nwarning-free on all servers.\n\nRecommendation 8:\nImplement or update existing procedures to test all newly published applications to\nensure they operate error- and warning-free on all servers.\n\n\n\n                               Problem Area 3:\n    The partial information reported by Citrix monitoring was insufficient to\n                      manage the remote access platform.\n\nThe Commission\xe2\x80\x99s Citrix infrastructure consists of more than a dozen servers. It is\ndifficult to understand the configuration without reporting tools, and impossible to\nmanually gather and review the performance statistics and logged data of each of these\n\n\nOIG-AR-13-01                               -7-\n\x0c                           U.S. International Trade Commission\n                                        Audit Report\n\n\n\nservers. The Commission should implement and manage specific tools to understand the\nconfiguration and operations of its Citrix platform.\n\nTo manage and support the Citrix platform, the tools implemented should provide the\nfollowing capabilities:\n\n   1. Live connection information: who is connected to what?\n   2. Up-to-date historical connection information: who was connected to what?\n   3. Session performance data as it pertains to the user experience:\n         a. Initial application launch delay: how long does it take to launch an\n             application?\n         b. Session delay/screen latency: what lag do users experience? Is it just one\n             user (problem with user PC or their Internet connection), or is it all of\n             them (problem with Commission infrastructure or its Internet connection?)\n   4. Session shadowing: the ability to directly observe user issues and provide support\n      and diagnosis in real-time.\n   5. Configuration reporting: how is the platform configured?\n\nOnce the tools are installed, they must be configured correctly and periodically tested to\nensure they are operational.\n\nThe Commission is unable to effectively manage its Citrix platform because it relies on\npartial information, it doesn\xe2\x80\x99t use freely available tools to report on the configuration, and\nit does not supply its Help Desk staff with the tools to diagnose problems within the\nCitrix platform.\n\n1. Partial Information\n\nWhen we began this audit, we obtained access to the Commission\xe2\x80\x99s EdgeSight\nmonitoring tool. This tool was included with the Commission\xe2\x80\x99s licensed version of\nCitrix and was used by the OCIO to collect performance data for Citrix operations.\nWhen properly configured, it can provide comprehensive performance and operational\ndata that would be useful to identify and diagnose problems in the Citrix platform.\n\nWe planned to use EdgeSight data to understand the performance characteristics of the\nCommission\xe2\x80\x99s Citrix platform. After several days of testing, it became clear that\nsignificant amounts of data were missing from EdgeSight. A cursory review of the\nEdgeSight configuration showed that not all servers were reporting on the scheduled\ndaily basis. In the example below, three of the ten servers did not report as scheduled:\n\n\n\n\nOIG-AR-13-01                                -8-\n\x0c                          U.S. International Trade Commission\n                                        Audit Report\n\n\n\n                          Figure 6: Servers not uploading data:\n\n\n\n\nAn analysis of seven weeks of OCIO-provided data identified further evidence that\nEdgeSight was not properly reporting data. For different reasons, servers can\nperiodically be taken down for maintenance. While it is possible for them to be taken\ndown for extended periods of time, generally speaking, typical maintenance should only\nlast a day or less. In a frequently used environment, it could be expected to see activity\nfor most servers each day, and all servers each week. According to the Commission\xe2\x80\x99s\nEdgeSight data, servers were operational for an average of 34% for each of the seven\nweeks reported. EdgeSight reported that three servers were never used, and only one\nserver reported Citrix access for each of the seven weeks.\n\n                 Table 1: EdgeSight Evidence of Per-Server Citrix Use:\n\n\n             EdgeSight Evidence of Per-Server Citrix Use\n                                                                             Percent of\n                 7/2-   7/9-    7/16-    7/23-    7/30-   8/6-     8/13-      Weeks\n Server Name:    7/8    7/15    7/22     7/29      8/5    8/12     8/19     Operational:\nserver1           X      X                 X        X                                57%\nserver2           X      X       X         X        X      X         X             100%\nserver3                                    X        X      X                         43%\nserver4           X      X       X         X               X         X               86%\nserver6                                                                               0%\nserver7                                                                               0%\nserver8           X                                                                  14%\nserver9           X                        X                                         29%\nserver10          X                                                                  14%\nserver11                                                                              0%\n                                                                 Average:           34%\n\n\nOIG-AR-13-01                                -9-\n\x0c                          U.S. International Trade Commission\n                                      Audit Report\n\n\n\nWhen we initially spoke with the OCIO about this discrepancy, we were told that the\nservers were most likely down due to maintenance. When we discussed the issue again,\nwe were told that the three servers not reporting any data were reserved, and not in use.\nIn an effort to further understand the environment, we reviewed the Windows server logs\nto see whether they were had recorded signs of Citrix activity during the seven week\nperiod. We found that the logs did contain information indicating Citrix activity and we\nanalyzed this data to determine when the servers actively provided Citrix services to\nremote access users. The server logs reflect what the server actually did, and if\nEdgeSight was working correctly, it would have reflected this same information.\n\nWe compared the Windows server log data for two servers with the data reported by\nEdgeSight for the same seven week period. For one server, the Windows server log\nreported that Citrix was operational for four of the seven (57%) weeks, while according\nto EdgeSight, the server was operational for only one (14%). The other server was active\nfor all seven weeks (100%), but EdgeSight reported no activity (0%). EdgeSight was not\nproperly gathering data and the reported data was either absent, corrupt, or both. The\nCIO and his staff were unaware that their systems were not being monitored, and because\nthe data was incomplete, they did not know which of their servers were operational. This\nmeant that the OCIO had an inaccurate picture of the Citrix environment.\n\n           Table 2: Server Log Evidence of Activity Compared to EdgeSight:\n\n\n  Server Log Evidence of Activity Compared to EdgeSight\n                                                                    Percent of\n                   7/2-   7/9- 7/16- 7/23- 7/30-       8/6-   8/13-  Weeks\n                   7/8    7/15 7/22 7/29 8/5           8/12   8/19 Operational\nServer 8\nWindows             X                     X        X     X                   57%\nApplication Log\nServer 8\n                    X                                                        14%\nEdgeSight Data\nServer 6\n                    X      X      X       X        X     X      X           100%\nWindows Log\nServer 6\n                                                                              0%\nEdgeSight Data\n\nThe Commission should identify the servers that are not properly reporting data, resolve\nthese issues, and periodically monitor the health of EdgeSight to ensure that it is\ncollecting data from all servers. Otherwise, EdgeSight cannot serve its intended purpose,\nwhich is to inform staff so they can support and manage Citrix effectively.\n\n\n\n\nOIG-AR-13-01                              - 10 -\n\x0c                          U.S. International Trade Commission\n                                       Audit Report\n\n\n\n2. Configuration Reporting:\n\nWhen Citrix applications are published, it is easy to misconfigure these applications if the\nadministrator is unaware of the location of installed software. Citrix does not report on\nmisconfiguration when an application is not available on the server specified in the Citrix\nconfiguration.\n\nTo help deal with this issue, Citrix provides a free software development kit (SDK) and\ninstructions to generate reports on its configuration. These tools can be used to validate\nsettings to ensure that everything is properly configured. The Commission did not use\nthese tools or other methods to assess its Citrix configuration, and the OCIO\xe2\x80\x99s lack of\nknowledge of the platform\xe2\x80\x99s design led directly to some of the errors experienced by\nusers.\n\nThese tools can efficiently document the installed applications of the Citrix servers, and\nfacilitate verification of settings to ensure that users do not experience errors due to\napplication misconfiguration.\n\n3. Help Desk:\n\nTo determine the effectiveness of support provided to remote users, we interviewed a\nnumber of Commission users for this audit. Every person interviewed expressed\nfrustration with the Citrix remote access system and all had difficulty getting specific\nhelp resolving their issues. In fact, we found that in one department, popular\ndissatisfaction reached a level that a single person was appointed as a liaison to the Help\nDesk to report on collective staff problems with Citrix.\n\nThe interviewees described a Help Desk troubleshooting process that focused on\nanalyzing problems with their home PC. Many of the issues they described indicated a\nproblem with the Commission\xe2\x80\x99s infrastructure, and not their home PC. None of those\ninterviewed described being told that a potential problem with the Citrix infrastructure\ncould be the cause of their issue, or that resolution of their problem would require\nescalation to operational staff.\n\nWe interviewed Help Desk staff to determine whether they had access to Citrix-specific\ntools to assist them as they attempted to resolve Citrix support requests. The staff\nresponded that they were able to use tools to diagnose problems with login credentials,\nbut they did not have access to tools to monitor or diagnose the Citrix platform. Help\nDesk personnel should be provided with access to Citrix-specific tools to quickly and\naccurately diagnose the cause of errors being experienced by users, or to escalate them to\nthe appropriate operational staff for resolution.\n\n\n\n\nOIG-AR-13-01                               - 11 -\n\x0c                          U.S. International Trade Commission\n                                       Audit Report\n\n\n\nThe lack of effective support for Commission staff experiencing remote access problems\ndecreases their effectiveness and efficiency and results in reduced productivity when they\nattempt to work remotely.\n\nRecommendation 9:\nResolve issues preventing remote access servers from reporting status.\n\nRecommendation 10:\nImplement tools to document and report on applications provided by each remote access\nserver.\n\nRecommendation 11:\nProvide the Help Desk with tools to diagnose remote access problems.\n\n\n\n\n                Management Comments and Our Analysis\nOn October 18, 2012, Chairman Irving Williamson provided management comments on\nthe draft report. He agreed with the three problem areas, and stated that the Commission\nwill institute appropriate management decisions to address the recommendations. The\nChairman\xe2\x80\x99s response is provided in its entirety as Appendix A.\n\n\n\n                     Objective, Scope, and Methodology\nObjective:\n\nDoes the USITC\xe2\x80\x99s Citrix platform provide the capabilities necessary for Commission\nstaff to effectively and efficiently perform their work remotely?\n\nScope:\n\nThis audit focused on the implementation and capabilities of the Commission\xe2\x80\x99s Citrix\nremote access system as it existed on April 4, 2012.\n\nMethodology:\n\n         1. We identified and interviewed users of the current remote access system.\n\n\n\n\nOIG-AR-13-01                               - 12 -\n\x0c                          U.S. International Trade Commission\n                                       Audit Report\n\n\n\n       2. We reviewed performance statistics of the system, login duration, session\n          latency, and other characteristics.\n       3. We identified factors that could affect system performance.\n       4. We analyzed resiliency of the current system, including single points of\n          failure.\n       5. We identified causes of failure within the infrastructure.\n       6. We identified any features available on workstations not included in the Citrix\n          system.\n       7. We compared ITC\xe2\x80\x99s Citrix implementation performance and capabilities\n          against other Federal agency implementations.\n\nWe conducted this performance audit in accordance with Generally Accepted\nGovernment Auditing Standards (GAGAS). Those standards require that we plan and\nperform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis\nfor our findings and conclusions based on our audit objectives. We believe that the\nevidence obtained provides a reasonable basis for our findings and conclusions based on\nour audit objectives.\n\n\n\n\nOIG-AR-13-01                               - 13 -\n\x0c                U.S. International Trade Commission\n\n                           Appendix A\n\n\n\n    Appendix A: Management Comments on Draft Report\n\n\n\n\nOIG-AR-13-01                   -A-\n\x0c\xe2\x80\x9cThacher\xe2\x80\x99s Calculating Instrument\xe2\x80\x9d developed by Edwin Thacher in the late 1870\xe2\x80\x99s. It is a cylindrical, rotating slide\nrule able to perform complex mathematical calculations involving roots and powers quickly. The instrument was used\nby architects, engineers, and actuaries as a measuring device.\n\x0c\x0c'